Opt-in Accelerator is a massive security risk for your customers. Rather than fix the security problems, the new version just adds fluff without addressing the core issues.
Anyone can make a mistake and release a product without considering all the possible ramifications, but to release Opt-in Accelerator again without major changes is irresponsible.
The Irresponsible Viral Tell-A-Friend Trio
So far there have been 3 such scripts I have written about, and there is a 4th “coming soon”.
- My first coverage of Opt-in Accelerator
- Then there was Viral Optin Generator which may well have been a private label or resale rights product
- Viral Inviter is launching soon. The last time I saw this script installed “out in the wild”, it was a security risk.
- There is another one I know about, TrafficXplode 2.0 which also features the same security risks
Relook @ Opt-In Accelerator
You see that big red circle I added?
That is the key to unlocking:
- Your Email
- Your Google Adsense Account
- Your Google Adwords Account
- Google Analytics
- Google Website Optimizer
- Your PayPal Account
- Affiliate program passwords
- Access Your Blogger account
- Access any scripts that allow you to resend or reset passwords
- Open any social media profile that used that email address
- Did you use that address for domain records? Wave goodbye to your domains
I am not claiming that anyone creating such a script is dishonest, or even the people who might use them, but it takes a huge investment of manpower and financial muscle to keep personal data secure, and those are things most internet marketers don’t have.
All it takes is a script kiddie to come along and compromise the script running on your server. Then, rather than acting as an “innocent” tell-a-friend script to boost your email subscribers, it would collect login and password information and forward it to an anonymous server.
All it would take is 2 lines of additional code.
We will ignore the many other potential problems: scraping the email services against their terms of service, potentially breaking the terms of the autoresponder service you use, or totally trashing your email deliverability as hundreds of people flag your messages as spam.
I think Robert Plank covered that aspect of Opt-in Accelerator quite adequately.
Password data should never be entered in an insecure form hosted by someone without exceptional security in place.
Very Simple Mail To:
This example is from Plurk (they also use the insecure method, and have been accused of spam with their Facebook implementation):
- http://mail.google.com/mail/?view=cm&cmid=0&fs=1&su=Invitation+to+Plurk.com&body=I+have+been+using+Plurk+and+I+think+you+should+check+it+out%21%0A%0AAccept+my+invitation+by+going+to%3A%0Ahttp%3A%2F%2Fplurk.com%2FredeemByURL%3Ffrom_uid%3D15547%26check%3D-1998160234%26s%3D2%0A%0ACheck+out+my+profile+at%3A%0Ahttp%3A%2F%2Fwww.plurk.com%2Fuser%2Fandybeard%0A%0APlurk.com+-+Your+life%2C+on+the+line&tearoff=1&shva=1&ui=1
- http://compose.mail.yahoo.com/?Subj=Invitation+to+Plurk.com&Body=I+have+been+using+Plurk+and+I+think+you+should+check+it+out%21+Accept+my+invitation+by+going+to%3A+http%3A%2F%2Fplurk.com%2FredeemByURL%3Ffrom_uid%3D15547%26check%3D-1998160234%26s%3D2.+Check+out+my+profile+by+going+to%3A+http%3A%2F%2Fwww.plurk.com%2Fuser%2Fandybeard
- http://www.hotmail.msn.com/secure/start?action=compose&subject=Invitation+to+Plurk.com&body=I+have+been+using+Plurk+and+I+think+you+should+check+it+out%21%0A%0AAccept+my+invitation+by+going+to%3A%0Ahttp%3A%2F%2Fplurk.com%2FredeemByURL%3Ffrom_uid%3D15547%26check%3D-1998160234%26s%3D2%0A%0ACheck+out+my+profile+at%3A%0Ahttp%3A%2F%2Fwww.plurk.com%2Fuser%2Fandybeard%0A%0APlurk.com+-+Your+life%2C+on+the+line
This approach is wonderful because people use their own email provider to send the emails, so there is no strain on your servers. It could be used on any server, even a shared account with limits on how many emails you can send per hour.
Google, Yahoo and Microsoft also have APIs for this kind of thing, which can also be used for finding friends.
I should also mention the ongoing OAuth efforts to create a unified interface for retrieving contact and other personal information with permission.
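To show how little a “compose link” needs to carry, here is an added example (mine, not Plurk's or Opt-in Accelerator's code) that builds the three webmail compose URLs from a subject and body and decodes them back for auditing. The endpoints and parameter names are taken from the links above and assumed to behave as they did when the post was written; `recover_message` and `credential_parameters` are hypothetical helper names.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Compose endpoints quoted in the post: base URL, fixed parameters,
# and the parameter names each provider uses for subject and body.
COMPOSE_ENDPOINTS = {
    "gmail": ("http://mail.google.com/mail/",
              {"view": "cm", "cmid": "0", "fs": "1"}, "su", "body"),
    "yahoo": ("http://compose.mail.yahoo.com/", {}, "Subj", "Body"),
    "hotmail": ("http://www.hotmail.msn.com/secure/start",
                {"action": "compose"}, "subject", "body"),
}

# Parameter names that would indicate a link is carrying a login, not a message.
CREDENTIAL_KEYS = {"password", "passwd", "pwd", "pass", "login", "username", "user"}


def build_compose_links(subject, body):
    """Return one compose URL per provider. Only the message text travels in
    the link; the inviter's mailbox password never passes through our server."""
    links = {}
    for name, (base, fixed, subject_key, body_key) in COMPOSE_ENDPOINTS.items():
        params = dict(fixed)
        params[subject_key] = subject
        params[body_key] = body
        # urlencode uses quote_plus: space -> '+', newline -> %0A, '/' -> %2F,
        # which is exactly the encoding seen in the Plurk links.
        links[name] = base + "?" + urlencode(params)
    return links


def recover_message(url):
    """Decode a compose link back into (subject, body) so its contents can be audited."""
    parts = urlsplit(url)
    base = f"{parts.scheme}://{parts.netloc}{parts.path}"
    query = parse_qs(parts.query)
    for endpoint_base, _fixed, subject_key, body_key in COMPOSE_ENDPOINTS.values():
        if base == endpoint_base:
            return query.get(subject_key, [""])[0], query.get(body_key, [""])[0]
    raise ValueError("not a known webmail compose endpoint")


def credential_parameters(url):
    """Names of any query parameters that look like credentials; expected to be empty."""
    return sorted(k for k in parse_qs(urlsplit(url).query) if k.lower() in CREDENTIAL_KEYS)
```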
To be fair, I am going to give Jason a link with some partial counter-arguments. He seems to think it is worth the risk.
The problem with that argument is that there is no need for this to be a security risk. It is just junk programming.